In an era when big data prevails, personal information is being collected all the time and has been essential to the development of the data industry. Thanks to the uploading of personal information, users can enjoy personalized network services. But it also presents personal and property security risks. De-identification can reduce the relevance between information and a specific individual so that the processed information cannot identify the subject of personal information without additional information, and it is widely used in data processing practice. In order to optimize the effect of de-identification and reduce the compliance costs of enterprises, it is necessary to build and improve the de-identification legal mechanism. As a beneficial practice for balancing the interests of the information subject and the personal information processor, the de-identification stipulation should become an important part of the personal information protection system, and on this basis, a hierarchical and classified personal information protection mechanism should be established. Previous research mainly focused on the challenge of anonymisation, sorting out the contents of the anonymisation system, and demonstrating the necessity of classified personal information protection. It rarely discussed how de-identification, as a kind of safety technical measure, can be the basis of a classified personal information protection system, or how to build and improve the personal information de-identification system. The methods applied in this paper include comparative analysis, literature study, and normative analysis. By comparing the domestic and overseas personal information de-identification and anonymisation systems, the key issues of the de-identification system will be discussed, including the object type of de-identification, the setting of legal standards, the distribution of processors’ responsibilities, and supporting regulatory measures. The discussion aims to provide some advice
for improving the de-identification system in the future. Although the de-identification system has a theoretical and practical research basis in China, the construction of the legal system is still at an early stage, and there are many issues, such as unclear legal standards, an imperfect normative system, limited regulatory effectiveness, inadequate administrative supervision, and a lack of self-discipline mechanisms. So the system design should always focus on the institutional goal of balancing personal information protection and data utilization, clarify the types of personal information applicable for de-identification, determine the legal standards for de-identification, reasonably distribute the relevant legal obligations of personal information processors, and adopt diversified supervision methods. The first part attempts to sort out the basic topics of the personal information de-identification system, including the discrimination of basic concepts, the study of relevant theories, and the design of the existing legal framework in China. The basic concept part aims to clarify the legal definition of "de-identification", distinguish it from similar concepts such as "anonymisation", "pseudonymization" and "data desensitization", and discuss the necessity of de-identifying personal information. The theoretical research part aims to analyze the theories closely related to the construction of the de-identification system, such as identity recognition standards, privacy expectation, and the right of self-determination, and discuss the theoretical basis of the system. Finally, the contents and deficiencies of the de-identification system under the current legislation are discussed. In the second part, the objects of de-identification are divided according to their purposes, processing stages, and application fields, and the different requirements for de-identifying different types of personal information are analyzed based on the data life cycle theory. De-identification is primarily targeted towards
commercial personal information that will be put into use, because this kind of personal information has a great demand for circulation and is difficult to supervise, resulting in great information security risks. For personal information in the financial and medical fields and personal movement track information, which has become the basis of social governance, sensitivity is higher than for general personal information and protection needs are stronger, so the de-identification of such personal information should meet higher standards, and the restrictions on subsequent processing behavior should be stricter. The third part discusses the legal standard according to domestic and foreign regulations. The determination of de-identification standards can provide guidance for evaluating the de-identification effect, which will not only help the orderly implementation of de-identification by enterprises but also help government supervision activities to be carried out smoothly. Combining the useful experience of foreign legislation, de-identification standards should focus on identification ability, attach importance to the assessment of re-identification risks, and take into account the identification probability of the data itself and the environmental factors of personal information processing. For professional re-identification risk calculation methods, popular explanations should be provided in the future to facilitate understanding and application in personal information processing activities, regulatory assessment, and other practical operations. The fourth part discusses the distribution of legal obligations and liabilities of personal information processors and the transformation of the supervision mode under the de-identification system. Setting reasonable legal obligations and adopting mixed supervision methods are important means to enhance the effectiveness of the system and promote implementation. The distribution of legal obligations should distinguish between general personal information
processors and high-risk personal information processors. Large platforms have great advantages in personal information processing quantity, processing technology, collection channels, and other aspects, so they should undertake special obligations different from those of ordinary personal information processors. In terms of supervision mode, diversified supervision means should be adopted, such as administrative punishment, industry self-discipline, and adding a third-party certification mechanism.